OpenVPN Blog IoT Security Remote Access Cloud Security VPN Infosec Events Newsletter

Understanding how split tunneling works with OpenVPN Access Server

A basic, personal virtual private network (VPN), such as Private Tunnel, routes the user’s traffic to the internet through an encrypted VPN tunnel. Someone might use the personal VPN service to protect sensitive data on public WiFi or to get around geographic content restrictions. Business VPNs are different, however. While companies may provide them to remote workers to protect them on public WiFi, more often, the real purpose is to obtain secure access to the business’s private local network resources.

What if you have a VPN that can’t handle the load? You may want to enable a split tunnel connection. With split tunneling, traffic not destined to your private network does not go through the VPN. That’s one reason you may want to set it up.

Here’s more information on what it is, why you would want to set it up, and how to do that with the OpenVPN Access Server split tunneling feature.

What is split tunneling?

When a VPN client connects to OpenVPN Access Server, it creates a tunnel. Data transferred is encrypted, through the Internet to the VPN server and connected to your Internal LAN. OpenVPN Access Server can be configured to route all traffic destined to the internet and not just the internal LAN through that tunnel as well.

Note: OpenVPN Connect, our VPN client, is available for Microsoft Windows, Mac, Linux, Android, and iOS.

Your employee is connected to the VPN and enters google.com into their browser.. The web traffic might follow this (simplified) route:

  1. From their laptop, it goes to their home router
  2. Then it crosses over the Internet inside of the VPN tunnel
  3. To the VPN server on your Internal LAN
  4. That sends it through the business’s router and internet connection
  5. And to google.com, then back the way it came to the laptop

When you set up split tunneling, only traffic that is destined for the subnets on your Internal LAN will go through the VPN tunnel. Other traffic will go through your employee’s normal Internet connection.

Here’s a basic diagram of how traffic flows when split tunneling is enabled on OpenVPN Access Server:

Good to Know

Inverse split tunneling sends all traffic, except that from designated apps, through a safe tunnel.

Dynamic split tunneling enhances a split tunnel by configuring it to use Domain Name System (DNS) for routing websites.

Why would I want to set up split tunneling?

  • Saves Bandwidth: Split tunneling sends VPN-encrypted traffic through the alternate tunnel at a slower rate. Performance is improved by routing unencrypted traffic over a public network.
  • Secure Connections for Remote Work: The growth of remote and hybrid workforces increased the need for secure remote access to corporate networks without home internet service providers (ISPs) throttling.
  • Local Area Network (LAN) Access: VPN encryption may block LAN access, but split tunneling lets users access local network devices (e.g., printers) via LAN while maintaining VPN security.
  • Use a Home IP Address Needed When Traveling: Conducting online activities that require a local Internet Protocol (IP) address can be tricky when traveling. VPN split tunneling lets a user connect to home country resources.

What are the possible risks of split tunneling?

  • By excluding certain traffic from the encryption of the VPN, a third party (such as an Internet Service Provider) could access that traffic
  • If you need to enforce business security policies on employee Internet traffic, such as anti-virus, anti-spam, and content filtering, you cannot do this with split tunneling
  • Attackers can use an endpoint infected with malware or other virus to access user IDs and passwords, or to exploit relationships connected to the device.
  • VPN split tunnels and firewalls must be properly configured so they aren’t exposed from the alternate, unencrypted tunnel.

How do I set it up in OpenVPN Access Server?

In the Admin Web UI, you can start split tunneling with a simple click of a toggle button. Under Configuration > VPN Settings > Routing, switch “Should client Internet traffic be routed through the VPN?” to No. Once set to ‘no’, traffic destined to your private networks will traverse the VPN. Other traffic will bypass the VPN.

In addition to this setting, you also need to define the private subnets clients need access. You can do this under Configuration > VPN Settings > Routing by specifying the subnets in the input field with the label: “Specify the private subnets to which all clients should be given access (one per line)”

Related Resources

Troubleshooting Reaching Systems Over The VPN Tunnel

Reach OpenVPN Clients Directly From A Private Network

Site-To-Site VPN Routing Explained In Detail

Share this story: